Napalm ansible


Introduction

In this blog post, we used Ansible to interact with our IOS XE devices through a module called . We followed up with using the module for Ansible, check this post. In this post, we will use Ansible with NAPALM. Have a look at this Github project.

For all the examples, we will use a Cisco sandbox environment delivered by Cisco Devnet. To get a list of all sandboxes, check out this link. For this blog post, we will use the IOS XE sandbox.

Installation

Installation is pretty simple.

I got some issues after installing the napalm-ansible, as my Python installation could not find the proper library in the site-packages. This was mainly because I run multiple versions of Python on my laptop and it kind of messed up a little bit. Therefore, it’s important that you know the site-packages directory that Napalm and Napalm-Ansible got installed in.

It’s important to follow the instructions on the napalm-ansible Github repo. It mentions there that you need to create an ansible.cfg file and specify the and variables. Here’s what my file looks like.

NAPALM-Ansible functions

NAPALM-Ansible module primarily works with 3 functions:

  • napalm_get_facts: wrapper around the NAPALM getter methods; it uses a filter to select only the items that you are interested in
  • napalm_install_config: wrapper around all the NAPALM configuration options such as merging and replacing a configuration, getting the diff of a change and commit/roll back of a change
  • napalm_validate: uses a YAML or JSON file (with intended configuration) to compare against the actual configuration

Retrieve information from IOSXE device

Have a look at the information for . It allows you to gather facts from a network device through NAPALM. Here’s an example:

When we run the above script, we see the following output.

We get a nice overview of the basic information of our IOS device but this time through the NAPALM module. In case you want to retrieve a list of interfaces, change the following line:

to

As such, you will receive a list of the configured interfaces as well.

Other parameters you could use for filter are: mac_address_table, arp_table, bgp_config, bgp_neighbors, bgp_neighbors_detail, interfaces_counters, interfaces_ip, lldp_neighbors, lldp_neighbors_detail, network_instances, ntp_servers, ntp_stats, users…and some more.

Execute commands

Have a look at the information for module. It allows you to execute commands on your IOS XE device. Have a look at the below script which executes two simple commands.

And you will get the following output. Note that I truncated the output quite a bit.

Create loopback interfaces

In this section, we will focus on adding some Loopback interfaces. We will use NAPALM’s merge function for that. Again, a similar example was discussed in an earlier post although this was done through Python. Here we will use the ansible-napalm module.

Let’s create a loopbacks.txt file. This file contains the configuration for the interfaces:

Next, let’s have a look at the Ansible playbook. Again, Napalm-Ansible module makes it fairly straightforward for us.

The important part is that we point to our loopbacks.txt file we created earlier. The will allow us to merge/replace the configuration. If set to true, we will merge the loopbacks information with the existing configuration. The is set to false, which means we will not replace the entire configuration. The will indicate that we want a diff to be generated between the existing and the new configuration. The will let you select the path where the diff file will be stored.

Before we continue, let’s see the current overview of configured interfaces on our device.

When we execute the ansible playbook, we get the following:

When we look in our device, we will see the following:

And also, you’ll notice a diff file has been created (in the current directory) with the following contents:

NAPALM Validation

We discussed NAPALM validation already in this post. The idea is to check or validate the configuration on our device. We learned that we need to create a validation file which contains the proper values. In our case, we would want to validate whether the device is running a particular software version and we would like to validate the IP address of the loopback interface. Let’s do this first, the validation file looks as follows:

In this post, we would obviously like to use Napalm-ansible module. The playbook is in fact very straightforward:

You’ll notice that we reference the variable so do not forget to add this variable in the group_vars/iosxe.yaml file.

Let’s execute this playbook next.

You will notice the validation was successful. Let’s change the value of the IP address inside the validation.yml file. We will change it from 4.4.4.101 to 4.4.4.102 so we expect the validation to fail. Let’s have a look:

In the above output, you will notice that the compliance status is false as expected.

Check out my Github repo for these examples. Hope to see you back soon.

Source: https://blog.wimwauters.com/networkprogrammability/2020-05-08_ansible_iosxe_napalm/

ansible.netcommon.napalm – Provides persistent connection using NAPALM

Columns: Parameter, Choices/Defaults, Configuration, Comments

host (string)
    Default: "inventory_hostname"
    var: ansible_host
    Specifies the remote device FQDN or IP address to establish the SSH connection to.

host_key_auto_add (boolean)
    Choices: no (default), yes
    ini entries:
        [paramiko_connection]
        host_key_auto_add = no
    env: ANSIBLE_HOST_KEY_AUTO_ADD
    By default, Ansible will prompt the user before adding SSH keys to the known hosts file. By enabling this option, unknown host keys will automatically be added to the known hosts file.
    Be sure to fully understand the security implications of enabling this option on production systems as it could create a security vulnerability.

network_os (string)
    var: ansible_network_os
    Configures the device platform network operating system. This value is used to load a napalm device abstraction.

password (string)
    var: ansible_password
    var: ansible_ssh_pass
    var: ansible_ssh_password
    Configures the user password used to authenticate to the remote device when first establishing the SSH connection.

persistent_command_timeout (integer)
    Default: 30
    ini entries:
        [persistent_connection]
        command_timeout = 30
    env: ANSIBLE_PERSISTENT_COMMAND_TIMEOUT
    var: ansible_command_timeout
    Configures, in seconds, the amount of time to wait for a command to return from the remote device. If this timer is exceeded before the command returns, the connection plugin will raise an exception and close.

persistent_connect_timeout (integer)
    Default: 30
    ini entries:
        [persistent_connection]
        connect_timeout = 30
    env: ANSIBLE_PERSISTENT_CONNECT_TIMEOUT
    var: ansible_connect_timeout
    Configures, in seconds, the amount of time to wait when trying to initially establish a persistent connection. If this value expires before the connection to the remote device is completed, the connection will fail.

persistent_log_messages (boolean)
    Choices: no (default), yes
    ini entries:
        [persistent_connection]
        log_messages = no
    env: ANSIBLE_PERSISTENT_LOG_MESSAGES
    var: ansible_persistent_log_messages
    This flag will enable logging the command executed and response received from target device in the ansible log file. For this option to work 'log_path' ansible configuration option is required to be set to a file path with write access.
    Be sure to fully understand the security implications of enabling this option as it could create a security vulnerability by logging sensitive information in log file.

port (integer)
    Default: 22
    ini entries:
        [defaults]
        remote_port = 22
    env: ANSIBLE_REMOTE_PORT
    var: ansible_port
    Specifies the port on the remote device that listens for connections when establishing the SSH connection.

private_key_file (string)
    ini entries:
        [defaults]
        private_key_file = None
    env: ANSIBLE_PRIVATE_KEY_FILE
    var: ansible_private_key_file
    The private SSH key or certificate file used to authenticate to the remote device when first establishing the SSH connection.

remote_user (string)
    ini entries:
        [defaults]
        remote_user = None
    env: ANSIBLE_REMOTE_USER
    var: ansible_user
    The username used to authenticate to the remote device when the SSH connection is first established. If the remote_user is not specified, the connection will use the username of the logged in user.
    Can be configured from the CLI via the or options.

timeout (integer)
    Default: 120
    Sets the connection time, in seconds, for communicating with the remote device. This timeout is used as the default timeout value for commands when issuing a command to the network CLI. If the command does not return in timeout seconds, an error is generated.
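
One way to check a project for the two options the table above flags (host_key_auto_add and persistent_log_messages) and for literal passwords in an INI inventory. This is an added example, not part of the Ansible documentation; the sample files are constructed and the variable name vault_ios_password is hypothetical.

```python
import configparser
import re

TRUTHY = {"1", "y", "yes", "t", "true", "on"}  # spellings Ansible accepts as true
PASSWORD_VARS = ("ansible_password", "ansible_ssh_pass", "ansible_ssh_password")

# (ini section, ini key, environment variable, effect) taken from the table above
RISKY_FLAGS = [
    ("paramiko_connection", "host_key_auto_add", "ANSIBLE_HOST_KEY_AUTO_ADD",
     "unknown SSH host keys are added to known hosts without a prompt"),
    ("persistent_connection", "log_messages", "ANSIBLE_PERSISTENT_LOG_MESSAGES",
     "commands and device responses are written to the ansible log file"),
]
ASSIGNMENT = re.compile(r"""\b(\w+)=("[^"]*"|'[^']*'|\S+)""")


def audit(cfg_text="", env=None, inventory_text=""):
    """Return findings for an ansible.cfg, an environment and an INI inventory."""
    env = env or {}
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    for section, key, env_var, effect in RISKY_FLAGS:
        # An environment variable overrides the value in ansible.cfg.
        if env_var in env:
            value, origin = env[env_var], f"env {env_var}"
        else:
            value, origin = cfg.get(section, key, fallback="no"), f"[{section}] {key}"
        if value.strip().lower() in TRUTHY:
            findings.append(f"{origin}: {effect}")
    for lineno, line in enumerate(inventory_text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):
            continue
        for name, value in ASSIGNMENT.findall(line):
            # A value that is a Jinja reference points at a secret stored elsewhere.
            if name in PASSWORD_VARS and not value.strip("\"'").startswith("{{"):
                findings.append(f"inventory line {lineno}: {name} is a literal password")
    return findings


# Constructed sample inputs: a weak setup and its corrected counterpart.
WEAK_CFG = """
[defaults]
log_path = ./ansible.log

[paramiko_connection]
host_key_auto_add = yes

[persistent_connection]
log_messages = True
"""
WEAK_INVENTORY = """
[cisco]
cisco5 ansible_host=cisco5.domain.com

[cisco:vars]
ansible_network_os=ios
ansible_user=admin
ansible_ssh_pass=my_password
"""
HARDENED_CFG = """
[paramiko_connection]
host_key_auto_add = no

[persistent_connection]
log_messages = no
"""
# vault_ios_password is a hypothetical variable kept in an encrypted vars file.
HARDENED_INVENTORY = WEAK_INVENTORY.replace("my_password", "'{{ vault_ios_password }}'")

if __name__ == "__main__":
    for finding in audit(WEAK_CFG, {}, WEAK_INVENTORY):
        print(finding)
```

The environment is passed in as a dictionary so the check can run in CI against a captured environment as well as against `os.environ`.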

Source: https://docs.ansible.com/ansible/latest/collections/ansible/netcommon/napalm_connection.html

napalm-ansible

Collection of ansible modules that use napalm to retrieve data or modify configuration on networking devices.

Modules

The following modules are currently available:

  • napalm_get_facts
  • napalm_install_config
  • napalm_validate

Install

To install, clone napalm-ansible into your ansible module path. This will depend on your own setup and contents of your ansible.cfg file which tells ansible where to look for modules. For more in-depth explanation, see the Ansible Docs.

If your ansible.cfg looks like:

    [defaults]
    library=~/workspace/napalm-ansible

Then you can do the following:

    $ cd ~/workspace
    $ git clone https://github.com/napalm-automation/napalm-ansible
    $ ls -la
    total 12
    drwxrwxr-x 3 user user 4096 Feb 26 12:51 .
    drwxr-xr-x 7 user user 4096 Feb 26 12:49 ..
    drwxrwxr-x 5 user user 4096 Feb 26 12:51 napalm-ansible

From here you would add your playbook(s) for your project, for example:

    $ ls -la
    total 12
    drwxrwxr-x 3 user user 4096 Feb 26 12:51 .
    drwxr-xr-x 7 user user 4096 Feb 26 12:49 ..
    drwxrwxr-x 5 user user 4096 Feb 26 12:51 napalm-ansible
    drwxrwxr-x 5 user user 4096 Feb 26 12:53 ansible-playbooks

Dependencies

napalm 1.00.0 or later

Examples

Example to retrieve facts from a device:

    - name: get facts from device
      napalm_get_facts:
        hostname={{ inventory_hostname }}
        username={{ user }}
        dev_os={{ os }}
        password={{ passwd }}
        filter='facts,interfaces,bgp_neighbors'
      register: result

    - name: print data
      debug: var=result

Example to install config on a device:

    - assemble:
        src=../compiled/{{ inventory_hostname }}/
        dest=../compiled/{{ inventory_hostname }}/running.conf

    - napalm_install_config:
        hostname={{ inventory_hostname }}
        username={{ user }}
        dev_os={{ os }}
        password={{ passwd }}
        config_file=../compiled/{{ inventory_hostname }}/running.conf
        commit_changes={{ commit_changes }}
        replace_config={{ replace_config }}
        get_diffs=True
        diff_file=../compiled/{{ inventory_hostname }}/diff

Example to get compliance report:

    - name: GET VALIDATION REPORT
      napalm_validate:
        username: "{{ un }}"
        password: "{{ pwd }}"
        hostname: "{{ inventory_hostname }}"
        dev_os: "{{ dev_os }}"
        validation_file: validate.yml

A More Detailed Example

It’s very often we come to these tools needing to know how to run before we can walk. Please review the Ansible Documentation as this will answer some basic questions. It is also advised to have some kind of yaml linter or syntax checker available.

Non parameterized example with comments to get you started:

    - name: Test Inventory                           #The Task Name
      hosts: cisco                                   #This will be in your ansible inventory file
      connection: local                              #Required
      gather_facts: no                               #Do not gather facts

      tasks:                                         #Begin Tasks
        - name: get facts from device                #Task Name
          napalm_get_facts:                          #Call the napalm module, in this case napalm_get_facts
            optional_args: {'secret': password}      #The enable password for Cisco IOS
            hostname: "{{ inventory_hostname }}"     #This is a parameter and is derived from your ansible inventory file
            username: 'user'                         #The username to ssh with
            dev_os: 'ios'                            #The hardware operating system
            password: 'password'                     #The line level password
            filter: 'facts'                          #The list of items you want to retrieve. The filter keyword is _inclusive_ of what you want
          register: result                           #Ansible function for collecting output

        - name: print results                        #Task Name
          debug: msg="{{ result }}"                  #Display the collected output

Keeping with our example dir at the beginning of the Readme, we now have this layout:

    ~/workspace/ansible-playbooks 08:16 $ ls -la
    total 32
    drwxrwxr-x 3 user user 4096 Feb 26 07:24 .
    drwxrwxr-x 8 user user 4096 Feb 25 16:32 ..
    -rw-rw-r-- 1 user user  404 Feb 26 07:24 inventory.yaml

You would run this playbook like this:

    cd ~/workspace
    ansible-playbook ansible-playbooks/inventory.yaml

And it should produce output similar to this:

    PLAY [Push config to switch group.] ********************************************

    TASK [get facts from device] ***************************************************
    ok: [192.168.0.11]

    TASK [print results] *******************************************************************
    ok: [192.168.0.11] => {
        "msg": {
            "ansible_facts": {
                "facts": {
                    "fqdn": "router1.not set",
                    "hostname": "router1",
                    "interface_list": [
                        "FastEthernet0/0",
                        "GigabitEthernet1/0",
                        "GigabitEthernet2/0",
                        "GigabitEthernet3/0",
                        "GigabitEthernet4/0",
                        "POS5/0",
                        "POS6/0"
                    ],
                    "model": "7206VXR",
                    "os_version": "7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S7, RELEASE SOFTWARE (fc4)",
                    "serial_number": "0123456789",
                    "uptime": 420,
                    "vendor": "Cisco"
                }
            },
            "changed": false
        }
    }

    PLAY RECAP *********************************************************************
    192.168.0.11 : ok=2 changed=0 unreachable=0 failed=0

© Copyright 2021, David Barroso/Mircea Ulinic/Kirk Byers Revision .

Source: https://napalm.readthedocs.io/en/latest/tutorials/ansible-napalm.html

napalm-ansible

Collection of ansible modules that use napalm to retrieve data or modify configuration on networking devices.

The following modules are currently available:

    Action-Plugins should be used to make napalm-ansible more consistent with the behavior of other Ansible modules (eliminate the need of a provider and of individual task arguments for hostname, username, password, and timeout).

    They provide default parameters for the hostname, username, password and timeout parameters.

    • hostname is set to the first of provider {{ hostname }}, provider {{ host }}, play-context remote_addr.
    • username is set to the first of provider {{ username }}, play-context connection_user.
    • password is set to the first of provider {{ password }}, play-context password (-k argument).
    • timeout is set to the provider {{ timeout }}, or else defaults to 60 seconds (can't be passed via command-line).

    To install run either:

    Or:

    Once you have installed then you need to add napalm-ansible to your and paths in . If you used pip to install napalm-ansible, then you can just run the command and follow the instructions specified there.

    Cisco IOS

    Inventory (IOS)

        [cisco]
        cisco5 ansible_host=cisco5.domain.com

        [cisco:vars]
        # Must match Python that NAPALM is installed into.
        ansible_python_interpreter=/path/to/venv/bin/python
        ansible_network_os=ios
        ansible_connection=network_cli
        ansible_user=admin
        ansible_ssh_pass=my_password

    Playbook (IOS)

        ---
        - name: NAPALM get_facts and get_interfaces
          hosts: cisco5
          gather_facts: False
          tasks:
            - name: napalm get_facts
              napalm_get_facts:
                filter: facts,interfaces

            - debug:
                var: napalm_facts

    Playbook Output (IOS)

        $ ansible-playbook napalm_get_ios.yml

        PLAY [NAPALM get_facts and get_interfaces] *********

        TASK [napalm get_facts] ****************************
        ok: [cisco5]

        TASK [debug] ***************************************
        ok: [cisco5] => {
            "napalm_facts": {
                "fqdn": "cisco5.domain.com",
                "hostname": "cisco5",
                "interface_list": [
                    "GigabitEthernet1",
                    "GigabitEthernet2",
                    "GigabitEthernet3",
                    "GigabitEthernet4",
                    "GigabitEthernet5",
                    "GigabitEthernet6",
                    "GigabitEthernet7"
                ],
                "model": "CSR1000V",
                "os_version": "Virtual XE Software, Version 16.9.3, RELEASE SOFTWARE (fc2)",
                "serial_number": "9700000000P",
                "uptime": 13999500,
                "vendor": "Cisco"
            }
        }

        PLAY RECAP *****************************************
        cisco5 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

    Arista EOS

    Inventory (EOS)

        [arista]
        arista5 ansible_host=arista5.domain.com

        [arista:vars]
        # Must match Python that NAPALM is installed into.
        ansible_python_interpreter=/path/to/venv/bin/python
        ansible_network_os=eos
        # Continue using 'network_cli' (NAPALM module itself will use eAPI)
        ansible_connection=network_cli
        ansible_user=admin
        ansible_ssh_pass=my_password

    Playbook (EOS)

        ---
        - name: NAPALM get_facts and get_interfaces
          hosts: arista5
          gather_facts: False
          tasks:
            - name: napalm get_facts
              napalm_get_facts:
                filter: facts,interfaces

            - debug:
                var: napalm_facts

    Playbook Output (EOS)

        $ ansible-playbook napalm_get_arista.yml

        PLAY [NAPALM get_facts and get_interfaces] *********

        TASK [napalm get_facts] ****************************
        ok: [arista5]

        TASK [debug] ***************************************
        ok: [arista5] => {
            "napalm_facts": {
                "fqdn": "arista5",
                "hostname": "arista5",
                "interface_list": [
                    "Ethernet1",
                    "Ethernet2",
                    "Ethernet3",
                    "Ethernet4",
                    "Ethernet5",
                    "Ethernet6",
                    "Ethernet7",
                    "Management1",
                    "Vlan1"
                ],
                "model": "vEOS",
                "os_version": "4.20.10M-10040268.42010M",
                "serial_number": "",
                "uptime": 12858220,
                "vendor": "Arista"
            }
        }

        PLAY RECAP ****************************************
        arista5 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

    Cisco NX-OS

    Inventory (NX-OS)

        [nxos]
        nxos1 ansible_host=nxos1.domain.com

        [nxos:vars]
        # Must match Python that NAPALM is installed into.
        ansible_python_interpreter=/path/to/venv/bin/python
        ansible_network_os=nxos
        # Continue using 'network_cli' (NAPALM module itself will use NX-API)
        ansible_connection=network_cli
        ansible_user=admin
        ansible_ssh_pass=my_password

    Playbook (NX-OS NX-API)

        ---
        - name: napalm
          hosts: nxos1
          gather_facts: False
          tasks:
            - name: Retrieve get_facts, get_interfaces
              napalm_get_facts:
                filter: facts,interfaces
                # Specify NX-API Port
                optional_args:
                  port: 8443

            - debug:
                var: napalm_facts

    Playbook Output (NX-OS NX-API)

        $ ansible-playbook napalm_get_nxos.yml

        PLAY [napalm] ***************************************

        TASK [Retrieve get_facts, get_interfaces] ***********
        ok: [nxos1]

        TASK [debug] ****************************************
        ok: [nxos1] => {
            "napalm_facts": {
                "fqdn": "nxos1.domain.com",
                "hostname": "nxos1",
                "interface_list": [
                    "mgmt0",
                    "Ethernet1/1",
                    "Ethernet1/2",
                    "Ethernet1/3",
                    "Ethernet1/4",
                    "Vlan1"
                ],
                "model": "Nexus9000 9000v Chassis",
                "os_version": "",
                "serial_number": "9B00000000S",
                "uptime": 12767664,
                "vendor": "Cisco"
            }
        }

        PLAY RECAP ******************************************
        nxos1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

    Playbook (NX-OS SSH)

        ---
        - name: napalm nxos_ssh
          hosts: nxos1
          tasks:
            - name: Retrieve get_facts, get_interfaces
              napalm_get_facts:
                filter: facts,interfaces
                # Instruct NAPALM module to use SSH
                dev_os: nxos_ssh

            - debug:
                var: napalm_facts

    Playbook Output (NX-OS SSH)

        $ ansible-playbook napalm_get_nxos_ssh.yml

        PLAY [napalm nxos_ssh] ********************************

        TASK [Retrieve get_facts, get_interfaces] *************
        ok: [nxos1]

        TASK [debug] ******************************************
        ok: [nxos1] => {
            "napalm_facts": {
                "fqdn": "nxos1.domain.com",
                "hostname": "nxos1",
                "interface_list": [
                    "mgmt0",
                    "Ethernet1/1",
                    "Ethernet1/2",
                    "Ethernet1/3",
                    "Ethernet1/4",
                    "Vlan1"
                ],
                "model": "Nexus9000 9000v Chassis",
                "os_version": "9.2(3)",
                "serial_number": "9000000000S",
                "uptime": 12767973,
                "vendor": "Cisco"
            }
        }

        PLAY RECAP ********************************************
        nxos1 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

    Juniper Junos

    Inventory (Junos)

        [juniper]
        juniper1 ansible_host=juniper1.domain.com

        [juniper:vars]
        # Must match Python that NAPALM is installed into.
        ansible_python_interpreter=/path/to/venv/bin/python
        ansible_network_os=junos
        # Continue using 'network_cli' (NAPALM module itself will use NETCONF)
        ansible_connection=network_cli
        ansible_user=admin
        ansible_ssh_pass=my_password

    Playbook (Junos)

        ---
        - name: napalm
          hosts: juniper
          gather_facts: False
          tasks:
            - name: Retrieve get_facts, get_interfaces
              napalm_get_facts:
                filter: facts,interfaces

            - debug:
                var: napalm_facts

    Playbook Output (Junos)

        $ ansible-playbook napalm_get_junos.yml -i

        PLAY [napalm] *****************************************

        TASK [Retrieve get_facts, get_interfaces] *************
        ok: [juniper1]

        TASK [debug] ******************************************
        ok: [juniper1] => {
            "napalm_facts": {
                "fqdn": "juniper1",
                "hostname": "juniper1",
                "interface_list": [
                    "fe-0/0/0", "gr-0/0/0", "ip-0/0/0", "lt-0/0/0", "mt-0/0/0", "sp-0/0/0",
                    "fe-0/0/1", "fe-0/0/2", "fe-0/0/3", "fe-0/0/4", "fe-0/0/5", "fe-0/0/6",
                    "fe-0/0/7", "gre", "ipip", "irb", "lo0", "lsi", "mtun", "pimd", "pime",
                    "pp0", "ppd0", "ppe0", "st0", "tap", "vlan"
                ],
                "model": "SRX100H2",
                "os_version": "12.1X44-D35.5",
                "serial_number": "BZ0000000008",
                "uptime": 119586097,
                "vendor": "Juniper"
            }
        }

        PLAY RECAP *******************************************
        juniper1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

    Example to install config on a device

        - assemble:
            src=../compiled/{{ inventory_hostname }}/
            dest=../compiled/{{ inventory_hostname }}/running.conf

        - napalm_install_config:
            hostname={{ inventory_hostname }}
            username={{ user }}
            dev_os={{ os }}
            password={{ passwd }}
            config_file=../compiled/{{ inventory_hostname }}/running.conf
            commit_changes={{ commit_changes }}
            replace_config={{ replace_config }}
            get_diffs=True
            diff_file=../compiled/{{ inventory_hostname }}/diff

    Example to get compliance report

        - name: GET VALIDATION REPORT
          napalm_validate:
            username: "{{ user }}"
            password: "{{ passwd }}"
            hostname: "{{ inventory_hostname }}"
            dev_os: "{{ dev_os }}"
            validation_file: validate.yml

    Source: https://github.com/napalm-automation/napalm-ansible

    Ansible napalm

    Network automation is not just about configuration management. Equally, if not more, important is validation of the state and models. After all, what is automating configuration changes good for if you don't know whether the end state of the system is correct?

    In the first blog post in the series I'll briefly describe Napalm and its validation feature, followed by an example Ansible playbook that we will use to automatically validate LLDP neighbours. This can be used to make sure newly deployed devices are correctly patched, or to confirm that the existing environment is connected the way we think it is.


    Introduction

    NAPALM, in case you haven't heard of it, is a Python library that attempts to provide a unified API for interacting with Operating Systems running on network devices from many different vendors. The idea is to let NAPALM work out how to connect, configure, and retrieve data from a particular OS. You use the same API calls for all devices, no matter the vendor or OS, and get output in a standardised format. If you want to learn more, and I highly recommend that you do, head over to https://napalm-automation.net/ .

    In my posts I will be using NAPALM in Ansible Playbooks by utilising NAPALM's Ansible modules. Let's now move on to the main topic.

    Validating LLDP neighbours

    Napalm validation leverages its built-in getters, and it uses YAML files containing a description of the desired state. NAPALM expects our YAML files to conform to the data structure these getters use, so if you're unsure what your YAML should look like, just run the 'get_facts' module and inspect the output.

    For example, the below shows the result of retrieving LLDP neighbours from a test device:

    Using the above output we can create a YAML file we will use to validate LLDP neighbours. NAPALM lets us decide which attributes we want to validate, so we can include only a subset of the device's state. Let's say that we want to verify both hostname and port for the neighbours seen on Ethernet1 and Ethernet3, but only hostname for the neighbour connected to Ethernet2.

    Our YAML file will look like so:

    Armed with the validation YAML, we can write our playbook.

    The most important task here is the one using the 'napalm_validate' module. We feed it YAML files describing the state and register the output. Once the output is registered we display the full compliance report and check if the actual state matches our desired state. If it doesn't, we stop execution of the playbook using the 'fail' module. Otherwise we let the playbook run to completion.

    Let's run this playbook, against vEOS-01, and see what happens.

    Success! NAPALM is happily telling us that the actual state matches our expectations.

    Now, we will run the same playbook against a different device, vEOS-02, whose validation YAML file doesn't match the actual state.

    As expected, the playbook failed as NAPALM detected discrepancies between the desired state and the state found on the device. We see that patches for interfaces Ethernet1 and Ethernet2 have been swapped around, an all too common occurrence in many DCs. NAPALM dutifully reported the actual values and the values it found in the YAML file.
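
The subset comparison described above (only the attributes listed in the validation file are checked), as an added example rather than NAPALM's own code or the post's playbook. It is a simplified model that also covers the earlier loopback check where 4.4.4.101 was changed to 4.4.4.102; neighbour names, ports, the interface name Loopback101 and the prefix length are constructed.

```python
def compare(expected, actual, path=""):
    """Return (path, expected, actual) tuples for everything that does not match.

    Only what the desired state lists is checked; extra keys or list items
    reported by the device are ignored, so a file can describe a subset.
    """
    if isinstance(expected, dict):
        if not isinstance(actual, dict):
            return [(path, expected, actual)]
        problems = []
        for key, want in expected.items():
            here = f"{path}.{key}" if path else str(key)
            if key not in actual:
                problems.append((here, want, None))
            else:
                problems.extend(compare(want, actual[key], here))
        return problems
    if isinstance(expected, list):
        if not isinstance(actual, list):
            return [(path, expected, actual)]
        # An expected item complies when any item on the device matches it.
        return [(f"{path}[{i}]", want, actual)
                for i, want in enumerate(expected)
                if not any(compare(want, have) == [] for have in actual)]
    return [] if expected == actual else [(path, expected, actual)]


def compliance_report(desired, device_state):
    """Both arguments map a getter name to its expected or retrieved data."""
    report = {"complies": True}
    for getter, expected in desired.items():
        mismatches = compare(expected, device_state.get(getter, {}))
        report[getter] = {"complies": not mismatches, "mismatches": mismatches}
        report["complies"] = report["complies"] and not mismatches
    return report


# Desired state from the text: hostname and port on Ethernet1 and Ethernet3,
# hostname only on Ethernet2. Neighbour names and ports are constructed.
LLDP_DESIRED = {"get_lldp_neighbors": {
    "Ethernet1": [{"hostname": "vEOS-02", "port": "Ethernet1"}],
    "Ethernet2": [{"hostname": "vEOS-03"}],
    "Ethernet3": [{"hostname": "vEOS-04", "port": "Ethernet1"}],
}}
# Constructed getter output: correct patching, plus data the file does not mention.
LLDP_GOOD = {"get_lldp_neighbors": {
    "Ethernet1": [{"hostname": "vEOS-02", "port": "Ethernet1"}],
    "Ethernet2": [{"hostname": "vEOS-03", "port": "Ethernet2"}],
    "Ethernet3": [{"hostname": "vEOS-04", "port": "Ethernet1"}],
    "Management1": [{"hostname": "oob-switch", "port": "12"}],
}}
# Constructed getter output: Ethernet1 and Ethernet2 patches swapped.
LLDP_SWAPPED = {"get_lldp_neighbors": {
    "Ethernet1": [{"hostname": "vEOS-03", "port": "Ethernet2"}],
    "Ethernet2": [{"hostname": "vEOS-02", "port": "Ethernet1"}],
    "Ethernet3": [{"hostname": "vEOS-04", "port": "Ethernet1"}],
}}
# The earlier loopback check: the file expects 4.4.4.102, the device has
# 4.4.4.101. Interface name and prefix length are constructed.
LOOPBACK_DESIRED = {"get_interfaces_ip": {
    "Loopback101": {"ipv4": {"4.4.4.102": {"prefix_length": 32}}}}}
LOOPBACK_ACTUAL = {"get_interfaces_ip": {
    "Loopback101": {"ipv4": {"4.4.4.101": {"prefix_length": 32}}}}}

if __name__ == "__main__":
    for name, state in (("good", LLDP_GOOD), ("swapped", LLDP_SWAPPED)):
        report = compliance_report(LLDP_DESIRED, state)
        print(name, report["complies"], report["get_lldp_neighbors"]["mismatches"])
    print(compliance_report(LOOPBACK_DESIRED, LOOPBACK_ACTUAL))
```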

    What's next

    This concludes the first post in the series on using NAPALM's validation feature. I hope that even these tiny examples showed you how powerful this tool can be, and how well it complements the configuration management side of automation.

    In the next posts we will talk about using more advanced validation options offered by NAPALM, that will allow us to be more precise when expressing our desired state. We'll also have some more examples of the state validation.

    We will finish the series with the talk on using service/infrastructure models to automatically generate validation files. I don't recommend creating YAML files by hand if you have more than a handful of devices, so we will call upon powers of automation to make our lives easier.

    Playbook listings


    get_facts_lldp.yml


    validate_lldp.yml

    You can also get full listings of the playbooks from my GitHub repository:
    https://github.com/progala/ttl255.com/tree/master/ansible/napalm-validate-p1

    Source: http://ttl255.com/napalm-ansible-automatic-validation-p1/